frida / frida-tools
Frida CLI tools
License: Other
I understand that you might not always want to attach a thread to the JVM with Frida, so Java.perform is being used to make it explicit, but in the REPL it gets a bit tiresome to type it out each time I want to run something. Assuming there isn't a risk with doing it automatically, I suggest adding a feature that will wrap the REPL prompt with Java.perform.
Of course it will be configurable with a command from the REPL (%autoperform and %noautoperform, I think) and can be off by default if it seems risky (in that case we should probably add a prompt to tell the user about this feature). What do you think @oleavr?
Can't use frida-trace with apps that read from stdin. It should just handle ^C, not ^D.
Including different OS.
Trace child processes automatically.
optparse is deprecated since Python 3.2 (somewhere around 2011) so we should probably update the code to use argparse. It will also improve the help message
It would be good to have support to trace profiler information using frida-trace.
FileMonitor does not seem to be triggering under Mac OS X (Sierra), so handlers are not reloaded when files are updated.
I couldn't really debug into it, so I updated my tracer to use https://pythonhosted.org/watchdog/, which is a common package, cross-platform, heavily used/tested.
Is this a PR that could be of interest?
It would be friendly to have an option or environment variable to disable the usage of colorama so that terminal escape sequences aren't emitted. This way colors aren't imposed on the user and they have a choice.
It would be nice to have startup parameters for the spawned app.
frida-ps doesn't run on Ubuntu 18.04 aarch64 with Python 3.8.10.
Is this not supported on systems with older glibc?
$ frida-ps -U
***
Failed to load the Frida native extension: /lib/aarch64-linux-gnu/libc.so.6: version `GLIBC_2.28' not found (required by /home/ubuntu/.envs/data/lib/python3.8/site-packages/_frida.cpython-38-aarch64-linux-gnu.so)
Please ensure that the extension was compiled for Python 3.x.
***
Traceback (most recent call last):
File "/home/ubuntu/.envs/data/bin/frida-ps", line 8, in <module>
sys.exit(main())
File "/home/ubuntu/.envs/data/lib/python3.8/site-packages/frida_tools/ps.py", line 8, in main
from frida_tools.application import ConsoleApplication
File "/home/ubuntu/.envs/data/lib/python3.8/site-packages/frida_tools/application.py", line 23, in <module>
import frida
File "/home/ubuntu/.envs/data/lib/python3.8/site-packages/frida/__init__.py", line 24, in <module>
raise ex
File "/home/ubuntu/.envs/data/lib/python3.8/site-packages/frida/__init__.py", line 7, in <module>
import _frida
ImportError: /lib/aarch64-linux-gnu/libc.so.6: version `GLIBC_2.28' not found (required by /home/ubuntu/.envs/data/lib/python3.8/site-packages/_frida.cpython-38-aarch64-linux-gnu.so)
$ python -V
Python 3.8.10
$ ldd /home/ubuntu/.envs/data/lib/python3.8/site-packages/_frida.cpython-38-aarch64-linux-gnu.so
/home/ubuntu/.envs/data/lib/python3.8/site-packages/_frida.cpython-38-aarch64-linux-gnu.so: /lib/aarch64-linux-gnu/libc.so.6: version `GLIBC_2.28' not found (required by /home/ubuntu/.envs/data/lib/python3.8/site-packages/_frida.cpython-38-aarch64-linux-gnu.so)
linux-vdso.so.1 (0x0000ffff97982000)
libdl.so.2 => /lib/aarch64-linux-gnu/libdl.so.2 (0x0000ffff95ece000)
libpthread.so.0 => /lib/aarch64-linux-gnu/libpthread.so.0 (0x0000ffff95ea2000)
libresolv.so.2 => /lib/aarch64-linux-gnu/libresolv.so.2 (0x0000ffff95e7d000)
libm.so.6 => /lib/aarch64-linux-gnu/libm.so.6 (0x0000ffff95dc4000)
libc.so.6 => /lib/aarch64-linux-gnu/libc.so.6 (0x0000ffff95c6b000)
/lib/ld-linux-aarch64.so.1 (0x0000ffff97956000)
Not sure where we built the pip packages for this. It seems the pip package for this problematic one was built on Ubuntu 20.
We should consider building on an older system in order to have better binary compatibility.
A common use case I see is passing some helper script files to the REPL so it would be easier to work with. This and the configuration flags I'm adding (#76, #82) and plan to add (#83, #84), can make the frida command repetitive and long. Maybe we could add a simple configuration file which is simply a list of REPL commands? I'm thinking of something like this:
%autoperform on
%autoreload off
%load -y ~/Scripts/Frida/repl-utils.js
frida-trace -U -p 3291 --runtime v8
Failed to start tracing: [Errno 2] No such file or directory: 'C:\Users\user\AppData\Local\Programs\Python\Python38\lib\site-packages\frida_tools-10.4.1-py3.8.egg\frida_tools\tracer_agent.js'
Some apps have Frida detection, which needs to be bypassed first and only then traced. I would like to add a delayed injection option.
It can be a bit tricky because we need to give the user indication that it will erase the REPL state, maybe with a prompt and a flag that always says yes? Something like that:
%load [-y] PATH
$ man frida-trace
No manual entry for frida-trace
$ uname -a
Darwin <hostname> 20.5.0 Darwin Kernel Version 20.5.0: Sat May 8 05:10:33 PDT 2021; root:xnu-7195.121.3~9/RELEASE_X86_64 x86_64
$ pyenv virtualenv 3.9.5 3.9.5-frida-tools
$ pyenv local 3.9.5-frida-tools
$ pip install --upgrade pip
$ pip install --upgrade setuptools
$ python --version
Python 3.9.5
$ pip list -v
Package Version Location Installer
---------- ------- ---------------------------------------------------------------------------------------- ---------
pip 21.1.2 /Users/iosbuild/.pyenv/versions/3.9.5/envs/3.9.5-frida-tools/lib/python3.9/site-packages pip
setuptools 57.0.0 /Users/iosbuild/.pyenv/versions/3.9.5/envs/3.9.5-frida-tools/lib/python3.9/site-packages pip
frida-tools
$ pip install frida-tools
$ pyenv which frida-ls-devices
/Users/iosbuild/.pyenv/versions/3.9.5-frida-tools/bin/frida-ls-devices
$ pyenv which frida-ps
/Users/iosbuild/.pyenv/versions/3.9.5-frida-tools/bin/frida-ps
$ frida-ls-devices
Id Type Name
---------------------------------------- ------ ------------
local local Local System
<serial-one-redacted> usb Mi A3
<serial-two-redacted> usb iPhone
$ frida-ps --device <serial-one-redacted>
<produces a list of processes>
$ frida-ps --device <serial-two-redacted>
Failed to enumerate processes: channel closed
zsh: segmentation fault frida-ps --device <serial-two-redacted>
In the segmentation fault above, the "Failed to enumerate processes" line sometimes is not visible, and only the segmentation fault message is there. I am also attaching a crash report from /Users/iosbuild/Library/Logs/DiagnosticReports/, which shows the crash happens in frida-main-loop.
Same segmentation fault occurs if I build Frida from source on that machine following these instructions.
$ ./build/frida-macos-x86_64/bin/frida-ps --device <serial-two-redacted>
Failed to enumerate processes: channel closed
zsh: segmentation fault ./build/frida-macos-x86_64/bin/frida-ps --device <serial-two-redacted>
Finally, Frida worked on that machine one week ago (21st of May), so something changed either on the machine or for Frida in the last week.
I am using the r1832.ko, ipv4.ko and ipv6.ko from this and trying to get the internet working on THEA500 Mini using a TP-Link UE300 Ethernet Adapter (https://www.tp-link.com/uk/home-networking/computer-accessory/ue300/). It's the only one I could find that has a r1853 chip in it, but it only connects over IPv6 (you can see it on my router's settings page under devices attached) and not via IPv4; it has an IPv4 address on THEA500 but never shows in my router's settings page...?
Maybe you can help...?
I am Spannernick.
From THEA500 Putty...
Ethernet 0
eth0 Link encap:Ethernet HWaddr 50:3E:AA:8B:30:66
inet addr:192.168.0.4 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:49 (49.0 B) TX bytes:90 (90.0 B)
dmesg...
[ 39.020887] NET: Registered protocol family 2
[ 39.021445] TCP established hash table entries: 256 (order: 0, 4096 bytes)
[ 39.021462] TCP bind hash table entries: 256 (order: 0, 4096 bytes)
[ 39.021471] TCP: Hash tables configured (established 256 bind 256)
[ 39.021932] TCP: reno registered
[ 39.021948] UDP hash table entries: 256 (order: 1, 8192 bytes)
[ 39.021962] UDP-Lite hash table entries: 256 (order: 1, 8192 bytes)
[ 39.051931] NET: Registered protocol family 10
[ 39.071215] usbcore: registered new interface driver r8152
[ 39.242455] usb 5-1: reset high-speed USB device number 2 using xhci-hcd
[ 39.260374] xhci-hcd xhci-hcd.0.auto: xHCI xhci_drop_endpoint called with disabled ep ffffffc01b0ffd80
[ 39.260381] xhci-hcd xhci-hcd.0.auto: xHCI xhci_drop_endpoint called with disabled ep ffffffc01b0ffdc0
[ 39.260387] xhci-hcd xhci-hcd.0.auto: xHCI xhci_drop_endpoint called with disabled ep ffffffc01b0ffe00
[ 39.410032] r8152 5-1:1.0 eth0: v2.15.0 (2021/04/15)
[ 39.410043] r8152 5-1:1.0 eth0: This product is covered by one or more of the following patents:
[ 39.410043] US6,570,884, US6,115,776, and US6,327,625.
[ 39.410043]
[ 40.110443] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
[ 41.003175] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[ 41.003694] r8152 5-1:1.0 eth0: carrier on
Modules...
Module Size Used by Tainted: G
r8152 186429 0
ipv6 292654 16
ipv4 485168 12 ipv6,[permanent]
rgl_gpiokey 4555 0
mali_kbase 299796 0
nand 420597 2
I tried to use the very cool frida-apk tool with a simple pinning demo app, but for some reason the APK did not end up as debuggable on my Pixel 3. This led me down a terrible rabbit hole into binary XML. To cut a long story short, I have discovered that I can "fix" the generated APK by moving the debuggable attribute to an earlier position in the same tag. I'm not sure why this makes things work, but maybe someone has any ideas.
Here's a minimal repro script that creates two variants of a demo APK. Variant A exhibits the same behavior as if I'm just running frida-apk; variant B is "fixed" by reordering the attributes (see patch below).
#!/usr/bin/sh
# get dependencies
wget -nc -q \
https://github.com/httptoolkit/android-ssl-pinning-demo/releases/download/v1.2.1/pinning-demo.apk \
https://github.com/hzw1199/xml2axml/releases/download/1.1.0/xml2axml-1.1.0-SNAPSHOT.jar
# add android:debuggable attribute
frida-apk pinning-demo.apk
# the generated pinning-demo.d.apk already exhibits the same problem as the A variant below.
# The point of the A variant is to make sure that none of the conversion steps we now do fixes it somehow.
# extract manifest from new apk
unzip -p pinning-demo.d.apk AndroidManifest.xml > AndroidManifest.orig.xml
# binary xml -> plaintext xml, create copy for variant B.
java -jar xml2axml-1.1.0-SNAPSHOT.jar d AndroidManifest.orig.xml AndroidManifest.a.xml
cp AndroidManifest.a.xml AndroidManifest.b.xml
# Patch variant B. We only move the debuggable attribute up.
patch << EOM
--- AndroidManifest.b.xml 2022-03-06 02:02:30.940230800 +0100
+++ AndroidManifest.b.xml 2022-03-06 02:02:55.030781200 +0100
@@ -22,13 +22,13 @@
android:theme="@7F1001EF"
android:label="@7F0F001B"
android:icon="@7F0C0000"
+ android:debuggable="true"
android:allowBackup="true"
android:supportsRtl="true"
android:extractNativeLibs="false"
android:networkSecurityConfig="@7F120000"
android:roundIcon="@7F0C0001"
android:appComponentFactory="androidx.core.app.CoreComponentFactory"
- android:debuggable="true"
>
<activity
android:name="tech.httptoolkit.pinning_demo.MainActivity"
EOM
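Review bot: the patch invocation above gives patch no target file, so the target is inferred from the --- and +++ headers, both of which read AndroidManifest.b.xml while an identical AndroidManifest.a.xml was just created by the cp two steps earlier; pass the target explicitly (patch AndroidManifest.b.xml << EOM) so a header mismatch can never apply the hunk to the wrong variant. The hunk itself only relocates android:debuggable="true" from the last attribute of the tag to directly after android:icon, and that position is the whole difference between the two variants, which is worth stating in the comment above the patch so a reader does not look for a change in the attribute's value.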
# plaintext xml -> binary xml
java -jar xml2axml-1.1.0-SNAPSHOT.jar e AndroidManifest.a.xml AndroidManifest.bin.a.xml
java -jar xml2axml-1.1.0-SNAPSHOT.jar e AndroidManifest.b.xml AndroidManifest.bin.b.xml
# create a.apk and b.apk
cp pinning-demo.d.apk pinning-demo.d.a.apk
cp pinning-demo.d.apk pinning-demo.d.b.apk
# update both variants with the new binary manifests.
mv AndroidManifest.bin.a.xml AndroidManifest.xml
zip pinning-demo.d.a.apk AndroidManifest.xml
rm AndroidManifest.xml
mv AndroidManifest.bin.b.xml AndroidManifest.xml
zip pinning-demo.d.b.apk AndroidManifest.xml
rm AndroidManifest.xml
# zipalign and sign APKs for testing
objection signapk pinning-demo.d.a.apk
objection signapk pinning-demo.d.b.apk
rm pinning-demo.d.a.apk pinning-demo.d.b.apk
echo "You now have two apks: pinning-demo.d.a.objection.apk and pinning-demo.d.b.objection.apk, which only differ by the patch above."
echo "Curiously, only the B variant appears as debuggable on a Pixel 3"
Some more notes:
apktool d followed by apktool build. For some reason this also reorders the attributes; I haven't figured out yet why that is the case.
The debuggable string is inserted after the padding in the StringPool chunk, but that shouldn't cause any issues. I fixed it manually once, which didn't change the overall outcome.
Also, the issue persists after doing a roundtrip through xml2axml.
I think it would be nice to see the output like this:
Started tracing 1908 functions. Press Ctrl+C to stop.
/* TID 0x5ec3 */
621 ms std::__1::__shared_ptr_pointer<ndk::SharedRefBase*, std::__1::default_delete<ndk::SharedRefBase>, std::__1::allocator<ndk::SharedRefBase> >::__on_zero_shared_weak()
622 ms | std::__1::__shared_ptr_emplace<android::MediaFilter::BufferChannel, std::__1::allocator<android::MediaFilter::BufferChannel> >::__on_zero_shared_weak()
622 ms std::__1::__shared_ptr_pointer<ndk::SharedRefBase*, std::__1::default_delete<ndk::SharedRefBase>, std::__1::allocator<ndk::SharedRefBase> >::__on_zero_shared_weak()
623 ms | std::__1::__shared_ptr_emplace<android::MediaFilter::BufferChannel, std::__1::allocator<android::MediaFilter::BufferChannel> >::__on_zero_shared_weak()
/* TID 0x5ecb */
623 ms std::__1::__shared_ptr_pointer<ndk::SharedRefBase*, std::__1::default_delete<ndk::SharedRefBase>, std::__1::allocator<ndk::SharedRefBase> >::__on_zero_shared_weak()
623 ms | std::__1::__shared_ptr_emplace<android::MediaFilter::BufferChannel, std::__1::allocator<android::MediaFilter::BufferChannel> >::__on_zero_shared_weak()
/* TID 0x5ec3 */
624 ms std::__1::__shared_ptr_pointer<ndk::SharedRefBase*, std::__1::default_delete<ndk::SharedRefBase>, std::__1::allocator<ndk::SharedRefBase> >::__on_zero_shared_weak()
624 ms | std::__1::__shared_ptr_emplace<android::MediaFilter::BufferChannel, std::__1::allocator<android::MediaFilter::BufferChannel> >::__on_zero_shared_weak()
624 ms android::VideoFrameSchedulerBase::~VideoFrameSchedulerBase()
624 ms std::__1::__shared_ptr_pointer<ndk::SharedRefBase*, std::__1::default_delete<ndk::SharedRefBase>, std::__1::allocator<ndk::SharedRefBase> >::__on_zero_shared_weak()
624 ms | std::__1::__shared_ptr_emplace<android::MediaFilter::BufferChannel, std::__1::allocator<android::MediaFilter::BufferChannel> >::__on_zero_shared_weak()
624 ms std::__1::__shared_ptr_pointer<ndk::SharedRefBase*, std::__1::default_delete<ndk::SharedRefBase>, std::__1::allocator<ndk::SharedRefBase> >::__on_zero_shared_weak()
624 ms | std::__1::__shared_ptr_emplace<android::MediaFilter::BufferChannel, std::__1::allocator<android::MediaFilter::BufferChannel> >::__on_zero_shared_weak()
624 ms std::__1::__shared_ptr_pointer<ndk::SharedRefBase*, std::__1::default_delete<ndk::SharedRefBase>, std::__1::allocator<ndk::SharedRefBase> >::__on_zero_shared_weak()
624 ms | std::__1::__shared_ptr_emplace<android::MediaFilter::BufferChannel, std::__1::allocator<android::MediaFilter::BufferChannel> >::__on_zero_shared_weak()
/* TID 0x5eb2 */
625 ms std::__1::__shared_ptr_pointer<ndk::SharedRefBase*, std::__1::default_delete<ndk::SharedRefBase>, std::__1::allocator<ndk::SharedRefBase> >::__on_zero_shared_weak()
625 ms | std::__1::__shared_ptr_emplace<android::MediaFilter::BufferChannel, std::__1::allocator<android::MediaFilter::BufferChannel> >::__on_zero_shared_weak()
625 ms std::__1::__shared_ptr_pointer<ndk::SharedRefBase*, std::__1::default_delete<ndk::SharedRefBase>, std::__1::allocator<ndk::SharedRefBase> >::__on_zero_shared_weak()
625 ms | std::__1::__shared_ptr_emplace<android::MediaFilter::BufferChannel, std::__1::allocator<android::MediaFilter::BufferChannel> >::__on_zero_shared_weak()
626 ms std::__1::__shared_ptr_pointer<ndk::SharedRefBase*, std::__1::default_delete<ndk::SharedRefBase>, std::__1::allocator<ndk::SharedRefBase> >::__on_zero_shared_weak()
626 ms | std::__1::__shared_ptr_emplace<android::MediaFilter::BufferChannel, std::__1::allocator<android::MediaFilter::BufferChannel> >::__on_zero_shared_weak()
626 ms std::__1::__shared_ptr_pointer<ndk::SharedRefBase*, std::__1::default_delete<ndk::SharedRefBase>, std::__1::allocator<ndk::SharedRefBase> >::__on_zero_shared_weak()
626 ms | std::__1::__shared_ptr_emplace<android::MediaFilter::BufferChannel, std::__1::allocator<android::MediaFilter::BufferChannel> >::__on_zero_shared_weak()
626 ms std::__1::__shared_ptr_pointer<ndk::SharedRefBase*, std::__1::default_delete<ndk::SharedRefBase>, std::__1::allocator<ndk::SharedRefBase> >::__on_zero_shared_weak()
626 ms | std::__1::__shared_ptr_emplace<android::MediaFilter::BufferChannel, std::__1::allocator<android::MediaFilter::BufferChannel> >::__on_zero_shared_weak()
rather than like this:
Started tracing 1908 functions. Press Ctrl+C to stop.
/* TID 0x5f3a */
774 ms _ZNSt3__120__shared_ptr_pointerIPN3ndk13SharedRefBaseENS_14default_deleteIS2_EENS_9allocatorIS2_EEE21__on_zero_shared_weakEv()
775 ms | _ZNSt3__120__shared_ptr_emplaceIN7android11MediaFilter13BufferChannelENS_9allocatorIS3_EEE21__on_zero_shared_weakEv()
775 ms _ZNSt3__120__shared_ptr_pointerIPN3ndk13SharedRefBaseENS_14default_deleteIS2_EENS_9allocatorIS2_EEE21__on_zero_shared_weakEv()
775 ms | _ZNSt3__120__shared_ptr_emplaceIN7android11MediaFilter13BufferChannelENS_9allocatorIS3_EEE21__on_zero_shared_weakEv()
776 ms _ZNSt3__120__shared_ptr_pointerIPN3ndk13SharedRefBaseENS_14default_deleteIS2_EENS_9allocatorIS2_EEE21__on_zero_shared_weakEv()
776 ms | _ZNSt3__120__shared_ptr_emplaceIN7android11MediaFilter13BufferChannelENS_9allocatorIS3_EEE21__on_zero_shared_weakEv()
776 ms _ZN7android23VideoFrameSchedulerBaseD1Ev()
776 ms _ZNSt3__120__shared_ptr_pointerIPN3ndk13SharedRefBaseENS_14default_deleteIS2_EENS_9allocatorIS2_EEE21__on_zero_shared_weakEv()
776 ms | _ZNSt3__120__shared_ptr_emplaceIN7android11MediaFilter13BufferChannelENS_9allocatorIS3_EEE21__on_zero_shared_weakEv()
776 ms _ZNSt3__120__shared_ptr_pointerIPN3ndk13SharedRefBaseENS_14default_deleteIS2_EENS_9allocatorIS2_EEE21__on_zero_shared_weakEv()
776 ms | _ZNSt3__120__shared_ptr_emplaceIN7android11MediaFilter13BufferChannelENS_9allocatorIS3_EEE21__on_zero_shared_weakEv()
776 ms _ZNSt3__120__shared_ptr_pointerIPN3ndk13SharedRefBaseENS_14default_deleteIS2_EENS_9allocatorIS2_EEE21__on_zero_shared_weakEv()
776 ms | _ZNSt3__120__shared_ptr_emplaceIN7android11MediaFilter13BufferChannelENS_9allocatorIS3_EEE21__on_zero_shared_weakEv()
/* TID 0x5f25 */
778 ms _ZNSt3__120__shared_ptr_pointerIPN3ndk13SharedRefBaseENS_14default_deleteIS2_EENS_9allocatorIS2_EEE21__on_zero_shared_weakEv()
778 ms | _ZNSt3__120__shared_ptr_emplaceIN7android11MediaFilter13BufferChannelENS_9allocatorIS3_EEE21__on_zero_shared_weakEv()
778 ms _ZNSt3__120__shared_ptr_pointerIPN3ndk13SharedRefBaseENS_14default_deleteIS2_EENS_9allocatorIS2_EEE21__on_zero_shared_weakEv()
778 ms | _ZNSt3__120__shared_ptr_emplaceIN7android11MediaFilter13BufferChannelENS_9allocatorIS3_EEE21__on_zero_shared_weakEv()
778 ms _ZNSt3__120__shared_ptr_pointerIPN3ndk13SharedRefBaseENS_14default_deleteIS2_EENS_9allocatorIS2_EEE21__on_zero_shared_weakEv()
778 ms | _ZNSt3__120__shared_ptr_emplaceIN7android11MediaFilter13BufferChannelENS_9allocatorIS3_EEE21__on_zero_shared_weakEv()
I tried to put the Frida gadget, config and script files in the same folder, then load it with System.load(frida). But my application gets stuck at the waiting screen.
Is there any way to solve it?
delete. issue opened by mistake
Seems like python-prompt-toolkit are adding their own support for dumb terminals.
(for examples prompt-toolkit/python-prompt-toolkit@35d510d)
It might be a good replacement for frida's dumb-terminal specific code in
https://github.com/frida/frida-tools/blob/master/frida_tools/repl.py
I haven't tried using it.
After upgrading to frida-tools 11.0.0, I cannot access variables from scripts in the interactive shell.
script:
var a = 0;
console.log(a);
Run frida and print variable a in the interactive shell:
❯ frida -f ./a -l ./a.js
____
/ _ | Frida 15.2.2 - A world-class dynamic instrumentation toolkit
| (_| |
> _ | Commands:
/_/ |_| help -> Displays the help system
. . . . object? -> Display information about 'object'
. . . . exit/quit -> Exit
. . . .
. . . . More info at https://frida.re/docs/home/
. . . .
. . . . Connected to Local System (id=local)
Spawning `./a`...
0
Spawned `./a`. Use %resume to let the main thread start executing!
[Local::a ]-> a
ReferenceError: 'a' is not defined
Here is a simple program:
int
fx(int a)
{
a += 20;
return a;
}
int
main(int argc, char *argv[])
{
return fx(fx(10));
}
I compile this on macOS (Big Sur) with Clang, and trace it:
0 ✓ [11:21:19 Fri Aug 27] ~/nobackup/frida/02
% gcc -g -O0 test.c
0 ✓ [11:21:24 Fri Aug 27] ~/nobackup/frida/02
% frida-trace ./a.out -i 'a.out!*'
Instrumenting...
fx: Auto-generated handler at "/Users/pt/nobackup/frida/02/__handlers__/a.out/fx.js"
main: Auto-generated handler at "/Users/pt/nobackup/frida/02/__handlers__/a.out/main.js"
Started tracing 2 functions. Press Ctrl+C to stop.
/* TID 0x103 */
100 ms main()
100 ms | fx()
100 ms | fx()
Process terminated
1 ✗ [11:21:31 Fri Aug 27] ~/nobackup/frida/02
Perfect. It created the __handlers__ JavaScript and everything.
However, I do the same thing on Ubuntu with gcc, and Frida doesn't find the functions:
pt@serval:~/frida$ gcc -g -O0 test.c
pt@serval:~/frida$ frida-trace ./a.out -i 'a.out!*'
Started tracing 0 functions. Press Ctrl+C to stop.
Process terminated
...but they are in the symbol table with objdump -t, and I can find them by walking the modules in the Frida JavaScript API.
What is the magic compiler switch I am missing? I tried visibility and export symbols with no luck.
When "frida-discover" is run to monitor the Chrome app (v 86.0.x.y) in Android 10, it dies with multiple error messages depending on the execution (as soon as it tries to run). Different crash samples are provided below.
The Frida environment is using version 12.11.18 in macOS and Python 3.8, and "frida-server" version 12.11.18 running as root in Android 10.
In this case "frida-discover" tries to trace all threads, and Frida dies. As a result, the app also dies:
$ frida-discover -U com.android.chrome
Tracing 47 threads. Press ENTER to stop.
Process terminated
Stopping...
$ frida-discover -U com.android.chrome
Failed to spawn: unable to find process with name 'com.android.chrome'
In this case, there is a trap via "libc" and "trichromelibrary":
$ frida-discover -U com.android.chrome
Tracing 49 threads. Press ENTER to stop.
Process crashed: Trace/BPT trap
***
*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'google/sargo/sargo:10/QQ2A.200405.005/6254899:user/release-keys'
Revision: 'MP1.0'
ABI: 'arm'
Timestamp: 2020-10-20 11:37:52+0200
pid: 5675, tid: 5719, name: RenderThread >>> com.android.chrome <<<
uid: 10189
signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr --------
Abort message: 'RenderThread Looper POLL_ERROR!'
r0 00000000 r1 00001657 r2 00000006 r3 00000006
r4 00000006 r5 c3bfc930 r6 da29b254 r7 0000010c
r8 c3bfc930 r9 c3bfc8bc r10 c3bfc9b0 r11 d59eda20
ip c3bfc928 sp c3bfc870 lr ba335d9b pc ef032c74
backtrace:
#00 pc 00097c74 /apex/com.android.runtime/lib/bionic/libc.so!libc.so (offset 0x97000) (tgkill+12) (BuildId: 8c3173001a99af3ab544de85a610e066)
#01 pc 00348d99 /data/app/com.google.android.trichromelibrary_424009933-MLvtBvj9odLq1ZikiiIpiA==/base.apk
***
Stopping...
In this case, the script injection generates an exception and the script is destroyed:
$ frida-discover -U com.android.chrome
Injecting script...
Exception in thread Thread-1:
Traceback (most recent call last):
File "/Applications/Xcode.app/Contents/Developer/Library/Frameworks/Python3.framework/Versions/3.8/lib/python3.8/threading.py", line 932, in _bootstrap_inner
self.run()
File "/Applications/Xcode.app/Contents/Developer/Library/Frameworks/Python3.framework/Versions/3.8/lib/python3.8/threading.py", line 870, in run
self._target(*self._args, **self._kwargs)
File "/Users/<user>/Library/Python/3.8/lib/python/site-packages/frida_tools/application.py", line 635, in _run
work()
File "/Users/<user>/Library/Python/3.8/lib/python/site-packages/frida_tools/application.py", line 330, in _try_start
self._start()
File "/Users/<user>/Library/Python/3.8/lib/python/site-packages/frida_tools/discoverer.py", line 35, in _start
self._discoverer.start(self._session, self._runtime, self)
File "/Users/<user>/Library/Python/3.8/lib/python/site-packages/frida_tools/discoverer.py", line 89, in start
params = self._script.exports.start()
File "/Users/<user>/Library/Python/3.8/lib/python/site-packages/frida/core.py", line 401, in method
return script._rpc_request('call', js_name, args, **kwargs)
File "/Users/<user>/Library/Python/3.8/lib/python/site-packages/frida/core.py", line 26, in wrapper
return f(*args, **kwargs)
File "/Users/<user>/Library/Python/3.8/lib/python/site-packages/frida/core.py", line 333, in _rpc_request
raise result[2]
frida.InvalidOperationError: script is destroyed
It seems that the completion does not support calls to functions, but instead of aborting the completion and not showing any suggestions, the completion crashes and shows an annoying error message to the user.
Aborting is probably the best short-term solution, but maybe a better completion using ternjs or TypeScript could be used instead. Is there something that would be welcomed? There are some trade-offs for the two options:
I use Ubuntu Desktop 16.04, frida-tools == 1.2.2, frida == 12.2.9
When I plugin 2 Nexus 5P, 1 Nexus5, 3 Nexus 6, total 6 devices, the frida-ls-devices only show 4 devices: 1 nexus 5P, 3 Nexus 6
Does frida support limited number of devices?
I haven't worked with GitHub Actions but it seems to be the obvious option if we are already using GitHub. Otherwise Sourcehut Build might be a good option.
I'm still unable to run the existing tests so help is welcomed
If I write log("xa\\bcd\\nm") in JS files and run frida-trace some_exe,
it would output
xcd
m
instead of
xa\bcd\nm
code page 65001 when running frida-trace
When spawning an Android process in the Android Studio emulator (Android version 7.1.1, x86) with a frida command line like this: frida -U -f com.anybodyapp.app -l workscript.js, the script does not work, without any error message. When this script is loaded with attach (frida -U -n com.anybodyapp.app -l workscript.js) it works perfectly.
[USB::iPhone::Settings]-> O.bless(ptr('0x126ee71c0')).$ownMethods.parse error (line 15)
Thanks to @trufae for finding this.
EDIT: This appears to be Frida issue 226, but that issue was from 2017 and the comments in the default handlers + documentation seem to imply attach() should work with floats?
Really simple example that isn't behaving as documented. I expected args to be NativePointers according to the comments. Version 15.0.14.
C-code
#include <stdio.h>
void print_hello(int n, char a, float f) {
printf("hello %d %c %f\n", n, a, f);
}
int main(int argc, char *argv[]) {
print_hello(10, 'a', 3.141f);
return 0;
}
And the handler for print_hello (abbreviated):
onEnter(log, args, state) {
log('print_hello() enter');
log(args[0]);
log(args[1]);
log(args[2]);
log(args[2].readFloat());
},
And the output from frida-trace:
% frida-trace -f a.out -i print_hello
Instrumenting...
print_hello: Loaded handler at "/Users/ptorelli/study/frida/01/__handlers__/a.out/print_hello.js"
hello 10 a 3.141000
Started tracing 1 function. Press Ctrl+C to stop.
/* TID 0x103 */
4 ms print_hello() enter
4 ms 0xa
4 ms 0x61
4 ms 0x7ffee3d99d90
4 ms -8.028827138591864e+21
4 ms print_hello() exit
Process terminated
I expected args[0] and args[1] to be pointers, they are instead the values.
args[2] looks like a pointer, but when I call readFloat() on it I get random values.
The comments simply say these should be NativePointers.
Advice?
MacOS Big Sur, Apple clang version 12.0.0 (clang-1200.0.32.28)
Tried this on Ubuntu 20.04 with gcc 9.3.0 (-O0) and frida-trace can't even find print_hello (even if static).
prompt-toolkit has a breaking change (like this: jupyter/jupyter_console#158):
$ frida Finder
Traceback (most recent call last):
File "/usr/local/bin/frida", line 11, in <module>
sys.exit(main())
File "/usr/local/lib/python3.7/site-packages/frida_tools/repl.py", line 23, in main
from prompt_toolkit.shortcuts import create_prompt_application, create_output, create_eventloop
ImportError: cannot import name 'create_prompt_application' from 'prompt_toolkit.shortcuts' (/usr/local/lib/python3.7/site-packages/prompt_toolkit/shortcuts/__init__.py)
For those who have encountered the same problem, you can temporarily downgrade with pip3 install 'prompt-toolkit==1.0.15'.
--no-pause behaviour was changed in a557bfe.
hello.c
#include <stdio.h>
#include <unistd.h>
void
f (int n)
{
printf ("Number: %d\n", n);
}
int
main (int argc,
char * argv[])
{
int i = 0;
printf ("f() is at %p\n", f);
while (1)
{
f (i++);
sleep (1);
}
}
$ gcc -Wall hello.c -o hello
hello.js
Interceptor.attach(ptr("0x55c9f407e169"), {
onEnter(args) {
args[0] = ptr("1337");
}
})
./hello
f() is at 0x55c9f407e169
Number: 0
Number: 1
Number: 2
Number: 3
Number: 4
Number: 5
# since frida 16 --no-pause removed :(
frida hello -l hello.js
____
/ _ | Frida 16.0.1 - A world-class dynamic instrumentation toolkit
| (_| |
> _ | Commands:
/_/ |_| help -> Displays the help system
. . . . object? -> Display information about 'object'
. . . . exit/quit -> Exit
. . . .
. . . . More info at https://frida.re/docs/home/
. . . .
. . . . Connected to Local System (id=local)
[Local::hello ]->
Is there any way to exit from [Local::hello ]-> after the script is loaded?
Build fingerprint: 'google/sdk_google_phone_x86/generic_x86:7.0/NYC/6696031:userdebug/dev-keys'
Revision: '0'
ABI: 'x86'
pid: 4359, tid: 4359, name: test.com >>> com.test.com <<<
signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr --------
Abort message: 'art/runtime/java_vm_ext.cc:470] JNI DETECTED ERROR IN APPLICATION: obj == null'
eax 00000000 ebx 00001107 ecx 00001107 edx 00000006
esi bfc4ea0c edi bfc4e8a0
xcs 00000073 xds 0000007b xes 0000007b xfs 0000003b xss 0000007b
eip a9482424 ebp bfc4e920 esp bfc4e838 flags 00000282
backtrace:
#00 pc ffffe424 [vdso:a9482000] (__kernel_vsyscall+16)
#1 pc 0007eb78 /system/bin/linker (__dl_syscall+40)
#2 pc 00004681 /system/bin/linker (__dl__ZL24debuggerd_signal_handleriP7siginfoPv+1201)
#3 pc 0078a844 /data/local/tmp/re.frida.server/frida-agent-32.so (offset 0x61e000)
//Function to hook:
private final void verifySafety(String str) {
h.h.a.d.o.e.a(this).K(generateNonce(), Constants.SAFETY).j(this, new m0(this, str)).g(this, p0.a);
}
//Javascript:
videoActivity.verifySafety.implementation = function(str){
console.log("testing");
};
$ frida-ps -U|head -n 1
PID Name
Exception in thread Thread-1:
Traceback (most recent call last):
File "/usr/local/Cellar/python/3.7.2_2/Frameworks/Python.framework/Versions/3.7/lib/python3.7/threading.py", line 917, in _bootstrap_inner
self.run()
File "/usr/local/Cellar/python/3.7.2_2/Frameworks/Python.framework/Versions/3.7/lib/python3.7/threading.py", line 865, in run
self._target(*self._args, **self._kwargs)
File "/usr/local/lib/python3.7/site-packages/frida_tools/application.py", line 431, in _run
work()
File "/usr/local/lib/python3.7/site-packages/frida_tools/application.py", line 280, in _try_start
self._start()
File "/usr/local/lib/python3.7/site-packages/frida_tools/ps.py", line 69, in _start
self._print(line_format % (process.pid, process.name))
File "/usr/local/lib/python3.7/site-packages/frida_tools/application.py", line 346, in _print
print(*encoded_args, **kwargs)
File "/usr/local/lib/python3.7/site-packages/colorama/ansitowin32.py", line 41, in write
self.__convertor.write(text)
File "/usr/local/lib/python3.7/site-packages/colorama/ansitowin32.py", line 162, in write
self.write_and_convert(text)
File "/usr/local/lib/python3.7/site-packages/colorama/ansitowin32.py", line 190, in write_and_convert
self.write_plain_text(text, cursor, len(text))
File "/usr/local/lib/python3.7/site-packages/colorama/ansitowin32.py", line 196, in write_plain_text
self.wrapped.flush()
BrokenPipeError: [Errno 32] Broken pipe
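The traceback above is the classic EPIPE case: `head` exits after reading one line, the next flush of stdout fails, and because frida-ps prints from a worker thread the failure surfaces as a thread traceback instead of a clean exit. Below is an added example, written for this page and not frida-tools' own `_print`, of a writer that treats a vanished reader as a normal stop condition. `closed_reader_pipe()` is a constructed helper that reproduces the `| head` situation offline; the sample rows in `main()` are made up.

```python
import io
import os
import sys


def write_lines(lines, out=None):
    """Write each line to ``out`` (default: sys.stdout), flushing per line.

    Returns (lines_written, reader_gone). When the reading side of the pipe
    has closed (``frida-ps -U | head -n 1`` closes it after one line) the
    flush raises BrokenPipeError; we stop quietly instead of letting a
    worker thread die with a traceback.
    """
    if out is None:
        out = sys.stdout
    written = 0
    try:
        for line in lines:
            out.write(line + "\n")
            out.flush()
            written += 1
    except BrokenPipeError:
        # CPython ignores SIGPIPE at startup, so EPIPE surfaces as an
        # exception rather than killing the process. Point the fd at
        # /dev/null so the interpreter's exit-time flush of the same
        # stream cannot raise a second BrokenPipeError.
        devnull = os.open(os.devnull, os.O_WRONLY)
        os.dup2(devnull, out.fileno())
        os.close(devnull)
        return written, True
    return written, False


def closed_reader_pipe():
    """Return a text stream whose reading end is already closed.

    Constructed test helper: this is the state `head` leaves the pipe in
    once it has read enough lines and exited.
    """
    r, w = os.pipe()
    os.close(r)
    return os.fdopen(w, "w")


def main():
    # Constructed sample output in the frida-ps column format; not real processes.
    rows = [("PID", "Name"), (1, "init"), (4359, "com.test.com")]
    lines = ["%5s  %s" % row for row in rows]
    written, reader_gone = write_lines(lines)
    if reader_gone:
        sys.exit(0)
    return written


if __name__ == "__main__":
    main()
```

The alternative is to restore the shell's behaviour with `signal.signal(signal.SIGPIPE, signal.SIG_DFL)` so the process is killed silently on EPIPE; that is simpler but also kills the process when any other pipe (for example the one to frida-server) breaks, so catching BrokenPipeError at the print site is the more precise fix.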
It is easy to add strict mode to the repl, the hard part is making sure that defined variables get declared in the global scope instead of the local one.
Hello, PR #8 breaks the send api in Frida scripts. Put send({ "foo": "bar"});
or send('{ "foo": "bar" }');
to a Frida script, run it with repl and you get this exception:
Traceback (most recent call last):
File "threading.py", line 916, in _bootstrap_inner
File "threading.py", line 864, in run
File "frida_tools/application.py", line 452, in _run
File "frida_tools/repl.py", line 158, in <lambda>
File "frida_tools/repl.py", line 444, in _process_message
File "frida_tools/application.py", line 351, in _print
TypeError: sequence item 1: expected str instance, dict found
I tried to fix it and submit PR, but the logic added in #8 completely bypasses the code in _print
that's designed to handle non-string args by joining all args to a single string.
If I'm reading it correctly, it also changes behavior of _print()
with multiple args:
self._print("a", "b")
-> a b
self._print("a", "b")
-> ab
So I'm not sure what you want the fix to be, which behavior of _print
is desired.
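The TypeError above comes from `str.join()` being handed the dict that `send({ "foo": "bar" })` produces; the string form `send('{ "foo": "bar" }')` only works because it is already a str. The following is an added example, not the frida-tools code under discussion, of a `_print`-style joiner that tolerates non-string arguments plus a small message formatter. It assumes the standard Frida message shapes, `{"type": "send", "payload": ...}` and `{"type": "error", "description": ..., "stack": ...}`, and keeps the space-separated behaviour of `_print("a", "b")` -> `a b`.

```python
import json


def format_print_args(*args):
    """Join print-style arguments into one space-separated line.

    Non-string values are converted first, because str.join() refuses them;
    dicts and lists become JSON so a payload such as {"foo": "bar"} prints
    unambiguously and in a stable key order.
    """
    parts = []
    for arg in args:
        if isinstance(arg, str):
            parts.append(arg)
        elif isinstance(arg, (dict, list)):
            parts.append(json.dumps(arg, sort_keys=True))
        else:
            parts.append(str(arg))
    return " ".join(parts)


def process_message(message):
    """Render one message coming from a Frida script.

    Messages are the dicts Frida delivers to the on_message callback.
    Assumed shapes: {"type": "send", "payload": <any JSON value>} and
    {"type": "error", "description": str, "stack": str, ...}.
    """
    kind = message.get("type")
    if kind == "send":
        return format_print_args("message:", message.get("payload"))
    if kind == "error":
        return format_print_args("error:", message.get("stack", message.get("description")))
    return format_print_args("unexpected message:", message)


if __name__ == "__main__":
    # Constructed messages mirroring the two send() calls in the report.
    print(process_message({"type": "send", "payload": {"foo": "bar"}}))
    print(process_message({"type": "send", "payload": '{ "foo": "bar" }'}))
```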
I upgraded to Frida 15.2.2 and I have the following problem. I used to load a JS script into the Frida REPL and all the functions defined in that script were available in the REPL. In the latest version, even though they are executed from the script, I cannot call them manually from the REPL anymore.
Example script:
function testFunc() {
console.log("testFunc called");
}
Run like this:
> frida -U -F -l test.js --no-pause
In version 15.1.4 I was able to type testFunc
in the REPL (with autocompletion even) and execute this function. In 15.2.2 this function is no longer available.
This could just be user error, but having difficulty using the CLI tools to test the Portal functionality. When starting the portal locally I'm running:
frida-portal --cluster-certificate=frida-cert.pem --cluster-token=foo
And then attempting to connect using frida-join
, running:
frida-join -D [device] "[process]" "127.0.0.1:27042" frida-cert.pem foo
I get the message Joining portal...
which goes for a bit, then ends with Unable to join: timeout was reached.
I've attempted with different combinations of token and certificate and haven't had any success.
Auto reload is great, but the way it's implemented it deletes any state in the REPL. I propose to add a flag to disable it.
I personally think auto reload should be off by default, but because we can't change it without breaking backwards compatibility I suggest adding the flag --no-auto-reload. If we want to eventually make it the default I also suggest adding an --auto-reload flag that does nothing so the migration will be easier in the future.
We should also have a way to change the settings from the REPL, which means a %autoreload {on/off} command.
I plan on implementing it after my magics refactor is merged.
I'm developing a feature called "quick command" in frida REPL, like:
[Local::a.exe ]-> .d 401000 10
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
00401000 55 8b ec 81 c4 fc fe ff ff 8b 45 0c 83 f8 01 75 U.........E....u
The quick cmd starts with '.' (same as nodejs REPL), and can be customized dynamically by the javascript loaded.
For example, register a new quick cmd 'u' in agent.js:
REPL.register_quick_cmd(
'u', // the quick cmd
1, // at least 1 argument
function disasm(addr, inst_cnt = 10) { ... } // target function
)
Which can be used in REPL:
[Local::a.exe ]-> .u 401000
00401000 push ebp
00401001 mov ebp, esp
00401003 add esp, 0xfffffefc
00401009 mov eax, dword ptr [ebp + 0xc]
0040100C cmp eax, 1
0040100F jne 0x401028
00401011 push dword ptr [0x403864]
00401017 push 1
00401019 push 0x466
0040101E push dword ptr [ebp + 8]
I have not contributed to this project yet, and would like to know if it is possible to make a pull request for this feature directly?
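The proposal above has two halves: the agent registers a command by name, minimum argument count and handler, and the REPL recognises the `.`-prefixed line, checks the argument count and calls the handler. Below is an added example of the REPL-side part in Python, written for this page rather than taken from the proposal or from frida-tools. `QuickCommandRegistry`, `parse_arg` and `hexdump` are names chosen here; the handler dumps a constructed 16-byte image (the bytes shown in the `.d 401000 10` output above) instead of reading target memory, so it runs without a process.

```python
import re
import shlex


class QuickCommandError(Exception):
    """Raised for unknown commands, missing arguments or bad addresses."""


def parse_arg(token):
    # Numeric arguments are hex without a prefix, as in `.d 401000 10`
    # (so `10` means 0x10 = 16). Anything that is not purely hex digits is
    # passed through as a string; a name such as "face" would parse as hex,
    # which is the same ambiguity windbg has.
    if re.fullmatch(r"(0[xX])?[0-9A-Fa-f]+", token):
        return int(token, 16)
    return token


class QuickCommandRegistry:
    """Registry for '.'-prefixed REPL quick commands.

    register(name, min_args, handler) mirrors REPL.register_quick_cmd() in
    the proposal; dispatch(line) parses a REPL line, enforces the minimum
    argument count and calls the handler with converted arguments.
    """

    def __init__(self):
        self._commands = {}

    def register(self, name, min_args, handler):
        if not re.fullmatch(r"[A-Za-z][A-Za-z0-9_]*", name):
            raise QuickCommandError("invalid quick command name: %r" % name)
        self._commands[name] = (min_args, handler)

    @staticmethod
    def is_quick_command(line):
        return line.lstrip().startswith(".")

    def dispatch(self, line):
        line = line.strip()
        if not line.startswith("."):
            raise QuickCommandError("not a quick command: %r" % line)
        tokens = shlex.split(line[1:])
        if not tokens:
            raise QuickCommandError("empty quick command")
        name, raw_args = tokens[0], tokens[1:]
        if name not in self._commands:
            raise QuickCommandError("unknown quick command: .%s" % name)
        min_args, handler = self._commands[name]
        if len(raw_args) < min_args:
            raise QuickCommandError(".%s needs at least %d argument(s), got %d"
                                    % (name, min_args, len(raw_args)))
        return handler(*[parse_arg(a) for a in raw_args])


# Constructed sample "memory": the 16 bytes from the issue's `.d 401000 10`
# output, embedded so the example runs without a target process.
SAMPLE_BASE = 0x401000
SAMPLE_IMAGE = bytes.fromhex("558bec81c4fcfeffff8b450c83f80175")


def hexdump(addr, length=0x10):
    """Handler for `.d <addr> [len]`: hex + ASCII dump of the sample image."""
    off = addr - SAMPLE_BASE
    if off < 0 or off + length > len(SAMPLE_IMAGE):
        raise QuickCommandError("range %#x+%#x is outside the sample image" % (addr, length))
    rows = []
    for i in range(0, length, 16):
        chunk = SAMPLE_IMAGE[off + i:off + i + 16]
        hexpart = " ".join("%02x" % b for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append("%08X %-47s %s" % (addr + i, hexpart, text))
    return "\n".join(rows)


def build_registry():
    """Wire up `.d`, as the REPL would after the agent registers it."""
    registry = QuickCommandRegistry()
    registry.register("d", 1, hexdump)
    return registry


if __name__ == "__main__":
    print(build_registry().dispatch(".d 401000 10"))
```

Using `shlex.split` for the argument list means a quoted argument such as `.u "0x401000"` stays one token, and rejecting command names that are not identifiers keeps a script from registering something like `.` or `..` that would collide with the prefix itself.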
It appears that something in Frida 16.0.7 causes an error message to appear on launch of multiple tools within Frida-Tools (frida-ls-devices and frida-ps have been confirmed). 16.0.6 does not experience the same issue. I've experienced this with Python 3.9, 3.10, and 3.11. Frida-Tools is the latest version (12.0.3). This is on MacOS. See screenshot for example. Error message is:
~/Desktop/objection $ frida-ls-devices
Traceback (most recent call last):
File "/Library/Frameworks/Python.framework/Versions/3.11/bin/frida-ls-devices", line 8, in <module>
sys.exit(main())
^^^^^^
File "/Library/Frameworks/Python.framework/Versions/3.11/lib/python3.11/site-packages/frida_tools/lsd.py", line 109, in main
app.run()
File "/Library/Frameworks/Python.framework/Versions/3.11/lib/python3.11/site-packages/frida_tools/application.py", line 386, in run
self._reactor.run()
File "/Library/Frameworks/Python.framework/Versions/3.11/lib/python3.11/site-packages/frida_tools/reactor.py", line 44, in run
self._run_until_return(self)
File "/Library/Frameworks/Python.framework/Versions/3.11/lib/python3.11/site-packages/frida_tools/application.py", line 71, in await_enter
input_with_cancellable(reactor.ui_cancellable)
File "/Library/Frameworks/Python.framework/Versions/3.11/lib/python3.11/site-packages/frida_tools/application.py", line 59, in input_with_cancellable
rlist, _, _ = select.select([sys.stdin, cancellable_fd], [], [])
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ValueError: file descriptor cannot be a negative integer (-42)
Could someone give me a little detail about the itrace tool?
[ agents\tracer\agent.ts ]
Is it feasible to increase the members limit (1000)?
I got a crash after raising it to 2000+. Is there anything else that needs to be changed?
// async function getHandlers
let size = 0;
for (const { name, members: pendingMembers } of pendingScopes) {
const curMembers: MemberName[] = [];
curScopes.push({
name,
members: curMembers
});
let exhausted = false;
for (const member of pendingMembers) {
curMembers.push(member);
size++;
if (size === 1000) {
exhausted = true;
break;
}
}
if (exhausted) {
break;
}
}
}
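The loop quoted above fills one batch of scopes until `size` hits the limit and then breaks, leaving the remaining members for a later round. The following is an added example, written for this page and not the tracer agent's code, of the same batching generalised: it cuts an arbitrary list of scopes into successive batches of at most `limit` members, continuing a scope under the same name across a batch boundary so no member is lost. The function name, the `limit` parameter and the sample scopes are constructed here; the page does not say why the agent caps at 1000 or what caused the crash at 2000+, and this example does not claim to.

```python
def batch_members(scopes, limit=1000):
    """Split [{"name": ..., "members": [...]}, ...] into batches.

    Each batch is a list of scopes whose member count totals at most
    ``limit``. A scope with more members than fit in the current batch is
    split: the remainder appears under the same name at the start of the
    next batch. Empty scopes are kept (they cost nothing), matching the
    quoted loop, which pushes the scope before iterating its members.
    """
    if limit <= 0:
        raise ValueError("limit must be positive")
    batches = []
    current, size = [], 0
    for scope in scopes:
        name, members = scope["name"], list(scope["members"])
        if not members:
            current.append({"name": name, "members": []})
            continue
        pos = 0
        while pos < len(members):
            if size == limit:
                batches.append(current)
                current, size = [], 0
            take = min(limit - size, len(members) - pos)
            current.append({"name": name, "members": members[pos:pos + take]})
            pos += take
            size += take
    if current:
        batches.append(current)
    return batches


def count_members(batches):
    """Total members across all batches; useful to check nothing was dropped."""
    return sum(len(scope["members"]) for batch in batches for scope in batch)


if __name__ == "__main__":
    # Constructed sample scopes; the names only illustrate the shape.
    sample = [
        {"name": "libc.so", "members": ["open", "read", "write"]},
        {"name": "libssl.so", "members": ["SSL_read", "SSL_write"]},
    ]
    for i, batch in enumerate(batch_members(sample, limit=2)):
        print(i, batch)
```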
I noticed that the frida CLI does not honor the --no-pause
flag when using the --await
option.
This was useful for me, so I've submitted a PR #111 if that's generally useful.